Hexclave
The open-source user infrastructure platform — authentication, teams, payments, emails, analytics, and more on a single unified user model.
Hexclave (formerly Stack Auth) is an open-source user infrastructure platform that goes far beyond authentication. Where most auth tools stop at sign-in, Hexclave ships a full catalog of user-facing capabilities — auth, teams, RBAC, API keys, payments, emails, analytics with session replays, webhooks, a data vault, and a launch checklist — all built on the same user model and toggled from a single dashboard with no code changes required.
The platform is designed for developers who want to own their infrastructure without assembling it piecemeal. Drop in one component for the whole auth flow, switch on payments when you’re ready to charge, and add analytics when you need to understand your users. Every capability shares the same identity layer, so user-level billing, team-scoped permissions, and per-user analytics work together without glue code.
Hexclave is available as a managed cloud service and as a fully self-hosted deployment. The client SDKs (MIT) and server components (AGPLv3) are 100% open-source, with enterprise licenses available for organizations that need different terms. Your data is always exportable, and the self-hosted path gives you complete operational control.
What You Get
- Authentication - Passkeys, OAuth, email/password, magic links, and CLI auth in a single drop-in component, with auth methods toggled from the dashboard and no code changes required.
- Teams & workspaces - Multi-tenant team structures with workspace switchers, email-based invitations that auto-sign up new users, and audit-ready role assignments.
- RBAC - Nested roles with a single permission check that works identically on server and client, defined in the dashboard and enforced anywhere in your code.
- API Keys - Secure API key issuance for users and teams, with plaintext shown only once, automatic leak detection, and instant revocation.
- Payments - Subscriptions, one-time charges, and usage metering with credits via Stripe, billable to a person or an entire team on a single unified model.
- Emails - Transactional and marketing sends from one API with an AI-powered template editor, unified theming, and open/click tracking.
- Analytics - Live active user counts, SQL-queryable event data, natural-language dashboard builder, and session replays — all enabled with a single flag.
- Webhooks - Signed, tamper-proof event webhooks with automatic retries and backoff, configurable from the dashboard in minutes.
- Data Vault - Encrypted per-user secret storage (tokens, keys) locked with your secret so Hexclave never sees the plaintext, accessible server-side in two lines.
- Launch Checklist - A pre-launch task tracker covering domain setup, callback locking, and secret rotation to keep teams aligned before going live.
Common Use Cases
- Launching a SaaS without assembling a stack - A solo developer ships auth, billing, and transactional email in a single weekend by toggling Hexclave’s built-in apps instead of integrating three separate vendors.
- Building a B2B product with team billing - A startup adds workspace-scoped subscriptions so each organization is billed independently, with RBAC ensuring team members can only access what their role permits.
- Replacing Auth0 and Clerk to own your data - A company migrates off a proprietary auth vendor, self-hosts Hexclave on their own infrastructure, and retains full portability of user records.
- Adding API key access for a developer product - A platform issues API keys to users and teams with automatic revocation on leak detection, eliminating the need to build key management from scratch.
- Understanding user behavior without a data stack - A product team enables Hexclave Analytics to get live active counts and session replays immediately, then queries events in plain English to build dashboards.
- Storing OAuth tokens securely per user - An app that integrates with Google Calendar stores each user’s refresh token in the Data Vault, keeping plaintext off the application server entirely.
Under The Hood
Architecture
Hexclave is organized as a TypeScript monorepo with a clear separation between the backend server, the admin dashboard, and a suite of framework SDKs. The backend follows a layered, service-oriented pattern where authentication, payment processing, analytics ingestion, and webhook delivery are each encapsulated into dedicated library modules with strict internal contracts, making the system modular and independently testable. A SmartRouter abstraction dynamically discovers API route handlers from the filesystem at startup rather than maintaining a static manifest, enabling new capabilities to be added without touching a central registry. The multi-tenant data model partitions user data by “tenancy,” allowing the same deployment to serve many isolated customer projects — a design that underpins both the managed cloud and self-hosted configurations equally.
Tech Stack
The backend is built on Node.js 22 with Next.js 15 as the server runtime, PostgreSQL accessed through Prisma, and ClickHouse for analytics event storage and querying. Stripe handles the payment and subscription infrastructure, while Svix powers signed webhook delivery. The frontend dashboard is a Next.js 15 React application using shadcn/ui components. SDKs are published for Next.js, React, vanilla JavaScript, and TanStack Start, sharing a common interface layer in the @hexclave/shared package. The entire monorepo is orchestrated with Turborepo and pnpm, with Docker Compose managing local dependencies including PostgreSQL, ClickHouse, Inbucket for email testing, and a Stripe mock server.
Code Quality
The codebase has comprehensive testing across unit, integration, and end-to-end layers using Vitest. End-to-end tests exercise real API interactions against a running backend, while unit tests cover critical logic like plan entitlement enforcement, email rendering, analytics token handling, and redirect URL validation using carefully crafted test stubs. TypeScript strict mode is enforced across all packages with shared type definitions for API contracts, database schemas, and webhook payloads, ensuring errors surface at compile time rather than runtime. Consistent error handling uses named assertion classes and structured error codes that map cleanly to HTTP status codes. ESLint and changeset-based release management enforce code standards and release hygiene across the monorepo.
What Makes It Unique
Hexclave’s defining technical bet is the “apps catalog” model: every user-facing capability (payments, analytics, emails, data vault, etc.) is implemented as an independently togglable app that shares the same underlying user and team identity model. This means billing and session analytics and RBAC all operate on the same user record without synchronization glue code — a sharp contrast to assembling these from separate vendors. The Data Vault’s zero-plaintext-at-rest design, where secrets are encrypted with the customer’s own secret before storage, offers a cryptographic guarantee that Hexclave itself cannot access stored tokens. The AI-integrated analytics layer allows natural-language dashboard construction directly against the underlying ClickHouse data, removing the need for a separate BI tool.
Self-Hosting
Hexclave uses a split licensing model: client SDKs and example code are MIT-licensed, while server components (the backend application) are AGPLv3. The AGPLv3 means that if you run a modified version of Hexclave as a network service and distribute the binary to users, you must make your source modifications available under the same license. For most self-hosters running the unmodified server for internal use, this imposes no practical obligations. Enterprise licenses are available directly from Hexclave for organizations that need MIT terms on the server or require contractual commitments not available under open-source licenses.
Running Hexclave yourself requires a meaningful infrastructure footprint: a PostgreSQL database, a ClickHouse cluster for analytics, an SMTP relay or email delivery service, a Stripe account for payments, and optionally Svix for webhook delivery. The platform ships with Docker Compose configurations for local development and provides a local emulator (QEMU-based) for realistic end-to-end testing without live cloud credentials. You are responsible for database backups, uptime, Postgres and ClickHouse upgrades, and SSL termination. The monorepo is actively developed at over 180 commits per month, so you will need a process for tracking upstream changes and merging them into your deployment.
The managed cloud at hexclave.com handles all of the above automatically: database backups, ClickHouse scaling, Stripe webhooks, SSL, and platform updates are managed for you. The cloud tier also includes support channels, an onboarding call on higher plans, and an SLA that self-hosters must provide themselves. The free tier on cloud covers 10,000 auth users, 100,000 analytics events, and 1,000 transactional emails per month — a reasonable starting point before a self-hosted deployment becomes economically justified.